%
% Copyright (C) Håkan Lindqvist 2006, 2007.
% May be copied freely for educational and personal use. Any other use
% needs my written consent (i.e. no commercial use without my approval).
%

\label{chapter:problem solution}

\section{The problem}
Most, if not all, computer systems in use in the world today are
insecure in some respect. Research has shown that the security
technology currently deployed in the computer industry today is unable
to provide a sufficient level of protection for most 
systems~\cite{inevitability}. 

Acoording to \cite{inevitability} all systems use a
security model that is inherently nearly impossible to secure:
discretionary access control, or DAC. In that security model,
the owner of an object in the system, such as a file, has full control of whom
may access it. 
%
The fact that the resource owner controls the setting of access rights
associated with the resources which he/she owns,
open a wast amount of ways in which the system can be
rendered insecure due to abuse, accidents or misconfiguration. 

Due to the aforementioned problems with configuration etc, it is
argued in~\cite{inevitability} that instead the mandatory access control, or MAC,
security model should be used. In that model the right to access
objects is left exclusively to the operating system and can not be
circumvented by the users of the system. MAC implemented on an operating
system level defines an access policy in a system that, if defined
correctly, is impossible to circumvent, hence the argument is that it
provides a greater level of protection. 

The problem then becomes to plan and implement such a policy, or in the
place of a DAC system, make a policy that is as consistent, powerful and
complete as possible to compensate for the inherent flaws in the
protection mechanisms as far as possible.



\section{A part of the solution}
To construct a complete and sound policy
a modelling tool is quite valuable. Such a tool is a mathematically
sound algebra that is able to define what kind accesses that are acceptable
to and by different parts of a system. Moreover, to be practical, it
must be able to combine a set of policies in a correct way to
generate a resulting combined policy that complies with all of the
(partial) policies.

This handbook provides an extensive presentation of an algebra, with
both a theoretical description and practial examples to easy the
understanding of how it works.
The algebra itself was defined and presented
in~\cite{algebra, algebra_old}, but I've tried to make the presentation
of it more easily to grasp. Moreover I have added support for multilevel
security, which is a type of security policies that traditionally can be
found in military systems, but is also available in more recent work
such as in SELinux~\cite{selinux}.



\section{Another piece of the puzzle}
Although a theoretical construct is very valuable and a powerful tool
which can be used to model what is needed, it is very cumbersome to
handle without any kind of aid. Hence a tool set of some kind is needed,
to enable a computer to handle the reptetive and computational portions
of policy specification and handling. This is where the the ``Policy
Tool Suite'' comes into the picture. It aim to provide resonably usable
tools that can be used to express policies using the aforementioned
algebra with minimal effort.

The real power of the suite is that using the tools, policies may be
formulated at an arbitrary abstraction level; everything from the
highlevel view of personnel, equipment and systems down to individual
files and communication resources.



\section{Closing matters and real world issues}
Although a security policy can express what is desired, it is not an
implementation of any security, merely a specification. Hence, a policy
is to be considered a blue print of what should be implemented.

This is where mechanisms such as encryption, SELinux~\cite{selinux},
FreeBSD's MAC framwork~\cite{freebsd_mac}, firewalls etc. come into the
picture. Each of these may implement some portion of a policy to provide
the desired result in the real world outide of the theoretical module.
This last step, though, is largely outside of what this handbook will
cover.



